NSA and Army Accidentally Expose 100GB of Classified Data

The NSA has gotten a lot of bad press this year in relation to cybersecurity. Earlier this year, it was reported that the Wannacry malware was based upon tools stolen from the NSA. The theft prompted Microsoft to attack the agency comparing the theft of the tools to the U.S. Army “having some of its Tomahawk missiles stolen.”

Well now, it turns out that both the Army and the NSA have messed up. UpGuard conducted an investigation into the Army Intelligence and Security Command and found that the agency had 100GB of data stored on a publicly accessible Amazon server.

In their blog post, they describe the situation as follows:

‘Among the most compelling downloadable assets revealed from within the exposed bucket is a virtual hard drive used for communications within secure federal IT environments, which, when opened, reveals classified data labeled NOFORN – a restriction indicating a high level of sensitivity, prohibited from being disseminated even to foreign allies. The exposed data also reveals sensitive details concerning the Defense Department’s battlefield intelligence platform, the Distributed Common Ground System – Army (DCGS-A) as well as the platform’s troubled cloud auxiliary, codenamed “Red Disk.”’

While much of the data on the servers require users to access the Pentagon, the lapse is still more than a bit troubling considering that some of the data was marked Top Secret and others bore the label NOFORN which means it cannot even be shared with top U.S. allies such as the United Kingdom. In addition to the classified data, the server also contained partial passwords that, if cracked, could potentially grant access to restricted files.

In terms of preventing this problem, UpGuard noted that the solution was a fairly simple one, but would require the Department of Defense to stop using outside contractors since that can make it more difficult for the various agencies to keep track of such things.

‘Third-party vendor risk remains a silent killer for enterprise cyber resilience. The transfer of information to an external contractor, such as Invertix, exposes the originating enterprise (in this case, INSCOM) to the consequences of a breach, but without direct oversight of how the data is handled.’

Eric is an avid tech junkie, gamer, and comic fan. When he's not working on his PC, you'll find him at your local comic book shop.